We outline how to review a system and organization controls (SOC) report, an essential part of vendor and risk management functions.
There continues to be a great deal of confusion over how to review a SOC report, the overall reporting structure, and which reports are the best to obtain. The basic intentions of SOC reports are as follows:
- SOC 1 – a report related to internal control over financial reporting
- SOC 2 – a report related to testing the five trust services principles, which include security, availability, processing integrity, confidentiality and privacy
- SOC 3 – a simplified report that covers the same principles in a SOC 2 and is available for public use
In this blog, we won’t go into the details of what report you need to obtain. Here, we’ll help answer the question of what you should be doing once you get the report in your hands.
Knowing how to review a SOC report properly is an essential part of the vendor management and risk management functions and should be taken very seriously. You are only as strong as your weakest link, which could indeed be your vendors.
How to Review a SOC Report
When obtaining the report, make sure it is the correct one. Some vendors issue anywhere from one to more than 30 reports for different areas of the business. Ensuring you have the right report increases the efficiency and effectiveness of your review. Case in point: if you are reviewing card issuance procedures, an item processing report will not suffice.
Time Period of Report
You should review the time period of the report to ensure it covers the needs of the user. Reporting periods vary and often don’t cover full calendar years (e.g. a reporting period of October 1, 2023 – September 30, 2024). If there is a gap between the end of the reporting period and the period you require for your review, you can obtain what is called a bridge letter or comfort letter, in which the service organization states what has occurred since the report was issued.
It is a best practice to ensure the report you obtain covers a time period of at least six months, with nine to twelve months being ideal. Ensure that hidden accounts have not been created, as these could be used for illicit activities.
Another high-risk user group is third-party vendors. Vendors come and go from a business environment and often need access to the systems to do the job they were hired for. There is a higher risk that this type of user is not terminated at the end of the contractual relationship. Vendors are often given remote access, so even if they are not onsite, they could still reach the network.
Report Coverage
The controls tested in the report should cover the services you rely on the service provider for. The level of specificity varies based on scope, auditor and service provider control structure. You should review the report in detail to ensure your areas of concern and reliance are covered. If they are not, alternative procedures may be necessary.
The Service Auditor’s Opinion on the Operating Effectiveness of the Controls
The auditor will opine in the report on the operating effectiveness of the controls as being Effective or Ineffective. If you receive an Ineffective opinion, you should seriously investigate why. Ineffective controls at a key service provider could have serious consequences on your own control environment.
Management’s Opinion on the Operating Effectiveness of the Controls
Like the service auditor, management also opines on the operating effectiveness of controls. Take the same considerations as those taken with the auditor’s opinion. If the two opinions differ, conduct an investigation into the reason.
Inclusion of the Control Environment in Reports
A description of the service organization’s control environment is one aspect of reports that may not have been included in the past. This description can provide valuable insights, and you should review it if present.
Control Exceptions
Each report contains a section listing out the controls tested and the results of that testing. You should investigate any exceptions noted for possible impacts on your process. This especially holds true for the controls your organization relies upon.
Vendors with mature risk management and internal control functions have few exceptions in these reports. Your level of caution should rise sharply if you see a high number of exceptions while you are reviewing a SOC report.
User Control Considerations
Most reports contain a section that lists controls that should be in place at the user (your) organization. These sections are typically called User Control Considerations, Complementary User Entity Controls, or Description of Client Considerations.
These are controls the service organization is assuming you have in place. They may not all be applicable to your business, but this section provides some great insight and may point out gaps in your control structure. Review and address each user control consideration as applicable.
Subservice Providers
Your service providers may be outsourcing part of the service they provide you. This could include hosting, helpdesk and other essential functions. The SOC report should list what activities are outsourced.
The term used in the report is most typically “subservice provider.” You should determine if you rely on that subservice and if you need to obtain a report from the subservice provider or perform any other sort of investigative activities. Remember, you are only as strong as your weakest link.
Controls & Reports Relied Upon
Remember, it is a good idea to keep a running list of the reports and controls you rely upon at each service organization. This will increase the efficiency and effectiveness of your SOC report reviews and help you manage your risk. Performing your reviews with the proper amount of rigor will help ensure you are practicing proper risk management.
Create an internal checklist for reviewing SOC reports. This best practice helps ensure that you’ve covered all the essential areas. We hear stories every week about weaknesses at vendors resulting in control breakdowns and, in some cases, data breaches. Knowing what to review when you receive your SOC reports is a simple precaution that can save you from significant damage.
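The running list of relied-upon reports and controls and the review checklist described above can be kept in a form that is evaluated automatically. The following Python script is an added example, not code from the original post or from any particular vendor or audit firm. It encodes the checks this post walks through (correct report and scope, a reporting period of at least six months with nine to twelve months ideal, a gap after the period end that calls for a bridge letter, the auditor’s and management’s opinions, exceptions on controls you rely upon, and subservice providers to assess). The vendor names, control ids and dates are constructed sample values; the six-month and nine-month thresholds are expressed as approximate day counts, which is an assumption of this example.

```python
"""Checklist evaluator for reviewing a vendor's SOC report (added example, not from the post)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SocReport:
    """The facts a reviewer extracts from the report itself."""
    vendor: str
    report_type: str                     # e.g. "SOC 1" or "SOC 2"
    scope: str                           # business area the report covers
    period_start: date
    period_end: date
    auditor_opinion: str                 # "Effective" or "Ineffective"
    management_opinion: str              # "Effective" or "Ineffective"
    exceptions: frozenset                # control ids with exceptions noted in the testing section
    subservice_providers: tuple = ()     # outsourced functions listed in the report
    bridge_letter_through: Optional[date] = None  # date a bridge/comfort letter covers through


@dataclass(frozen=True)
class Reliance:
    """The user organization's running list: what it relies on this vendor for."""
    vendor: str
    required_type: str
    required_scope: str
    relied_controls: frozenset
    review_date: date


MIN_PERIOD_DAYS = 182     # roughly six months, the minimum the post recommends (assumed day count)
IDEAL_PERIOD_DAYS = 273   # roughly nine months, the low end of the ideal range (assumed day count)


def review_report(report: SocReport, reliance: Reliance) -> dict:
    """Return {checklist item: finding}; an empty dict means the report passed every check."""
    findings = {}
    if report.vendor != reliance.vendor:
        findings["vendor"] = f"report is for {report.vendor}, not {reliance.vendor}"
    # Right report for the right area of the business (card issuance vs. item processing).
    if (report.report_type, report.scope) != (reliance.required_type, reliance.required_scope):
        findings["scope"] = (f"need {reliance.required_type} covering {reliance.required_scope!r}, "
                             f"got {report.report_type} covering {report.scope!r}")
    # Length of the reporting period.
    covered_days = (report.period_end - report.period_start).days + 1
    if covered_days < MIN_PERIOD_DAYS:
        findings["period_length"] = f"period covers only {covered_days} days (under six months)"
    elif covered_days < IDEAL_PERIOD_DAYS:
        findings["period_length"] = f"period covers {covered_days} days; nine to twelve months is ideal"
    # Gap between the end of coverage (report or bridge letter) and the date of your review.
    coverage_end = report.bridge_letter_through or report.period_end
    if coverage_end < reliance.review_date:
        gap = (reliance.review_date - coverage_end).days
        findings["period_gap"] = f"{gap}-day gap after {coverage_end}; obtain a bridge letter"
    # Opinions: the auditor's, and whether management agrees with it.
    if report.auditor_opinion != "Effective":
        findings["auditor_opinion"] = f"auditor opinion is {report.auditor_opinion}; investigate why"
    if report.management_opinion != report.auditor_opinion:
        findings["opinion_mismatch"] = (f"management says {report.management_opinion}, auditor says "
                                        f"{report.auditor_opinion}; investigate the difference")
    # Exceptions matter most on the controls you actually rely upon.
    hit = sorted(report.exceptions & reliance.relied_controls)
    if hit:
        findings["relied_control_exceptions"] = "exceptions on relied-upon controls: " + ", ".join(hit)
    # Subservice providers may need their own report or other investigative work.
    if report.subservice_providers:
        findings["subservice_providers"] = ("assess reliance on subservice providers: "
                                            + ", ".join(report.subservice_providers))
    return findings


# Constructed sample data: a SOC 2 for a card issuance vendor, reviewed in January 2025.
SAMPLE_REPORT = SocReport(
    vendor="Example Card Processor", report_type="SOC 2", scope="card issuance",
    period_start=date(2023, 10, 1), period_end=date(2024, 9, 30),
    auditor_opinion="Effective", management_opinion="Effective",
    exceptions=frozenset({"CC6.1", "CC7.2"}),
    subservice_providers=("Example Cloud Host",),
)
SAMPLE_RELIANCE = Reliance(
    vendor="Example Card Processor", required_type="SOC 2", required_scope="card issuance",
    relied_controls=frozenset({"CC6.1", "CC6.3"}), review_date=date(2025, 1, 15),
)
# Same report after a bridge letter covering through the end of January 2025 was obtained.
SAMPLE_REPORT_BRIDGED = replace(SAMPLE_REPORT, bridge_letter_through=date(2025, 1, 31))

if __name__ == "__main__":
    for item, finding in review_report(SAMPLE_REPORT, SAMPLE_RELIANCE).items():
        print(f"{item}: {finding}")
```

Run against the sample data, the evaluator flags the 107-day gap between the period end and the review date, the exception on CC6.1 (the one exception that touches a relied-upon control; CC7.2 is not flagged because the organization does not rely on it), and the subservice provider to assess; once a bridge letter covering through the review date is recorded, the gap finding disappears. Keeping the `Reliance` records current is what makes the exception check meaningful, which is the reason the post recommends maintaining that running list.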